Mar 16, 2012

Setting up BIND to secure DNS with DNSSEC (II)

Let's continue with the second part of the article titled Setting up BIND to secure DNS with DNSSEC. First, note that the default configuration of BIND on CentOS 6 allows DNSSEC to be used directly.

To begin with, we are going to generate the ZSK (which signs the records of the zone file) and the KSK (which signs the ZSK). Each command produces a key pair in two files, public (.key) and private (.private). Pay attention to the permissions of the private keys: as you can guess, only root has access to the files.

At this point, we are able to sign the zone. The last argument of the command is the zone file, and the "-o" option indicates the zone origin. This command creates a new version of the zone file by adding NSEC and RRSIG records.
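
The steps above (key generation, private key permissions, zone signing) as an added example; this is not the author's original command listing. The algorithm (RSASHA256), the 2048-bit key size, the function names and the example.com names in the comments are assumptions.

```shell
#!/bin/sh
# Added example: generate a ZSK and a KSK, sign the zone, and audit the
# permissions of the private key files. Run as root from the directory
# that holds the zone file, e.g.:
#   gen_and_sign example.com example.com.zone && loose_private_keys .

# gen_and_sign ZONE ZONEFILE
# Creates both key pairs in the current directory and writes ZONEFILE.signed.
gen_and_sign() {
    zone=$1
    zonefile=$2
    # ZSK: signs the records of the zone. dnssec-keygen prints the key's
    # base name (K<zone>+<alg>+<id>) on stdout.
    zsk=$(dnssec-keygen -a RSASHA256 -b 2048 -n ZONE "$zone") || return 1
    # KSK: "-f KSK" sets the key-signing flag; this key signs the ZSK.
    ksk=$(dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE "$zone") || return 1
    # Private halves must be readable by their owner only.
    chmod 600 "$zsk.private" "$ksk.private" || return 1
    # The public keys have to be part of the zone before it is signed.
    printf '$INCLUDE %s.key\n$INCLUDE %s.key\n' "$zsk" "$ksk" >> "$zonefile"
    # "-o" gives the zone origin; the last argument is the zone file.
    # The signed copy gains NSEC and RRSIG records.
    dnssec-signzone -o "$zone" "$zonefile"
}

# loose_private_keys DIR
# Prints every K*.private file in DIR that grants any permission to
# group or others. No output means all private keys are owner-only.
loose_private_keys() {
    dir=$1
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || printf '%s\n' "$f"
    done
    return 0
}
```
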

About the author...

Javier Andrés Alonso holds a Master's Degree in Telecommunication Engineering and a Bachelor's Degree in Telecommunication Technical Engineering (specialising in Telematics) from the Polytechnic School of the University of Alcalá de Henares.